ThreatExpert Report: Mal/Dropper-AE, Mal/Emogen-H, Mal/Emogen-F, Trojan-Downloader.Win32.VB..

Submission Summary:

Submission details:

Submission received: 14 May 2009, 02:53:38
Processing time: 9 min 3 sec
Submitted sample:

File MD5: 0x66EB1B2960C73D2F51702AC0A004CE06
File SHA-1: 0x354D7454649787AB4042DCE5190C9502BB30B517
Filesize: 1,426,358 bytes

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
RogueAntiSpyware.WinSpywareProtect	RogueAntiSpyware.WinSpywareProtect is a Rogue Anti-Spyware application which generates fake detections in order to persuade the user into buying their product before they can remove these detections.

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\TDDOWNLOAD\123.exe	1,476,701 bytes	MD5: 0xC7B11D3CCDD03267B52401FE43B74248 SHA-1: 0xC428AB959343F62C6C4086DFED551701D561CFB6	Mal/Dropper-AE [Sophos]
2	%ProgramFiles%\ecplor	45,056 bytes	MD5: 0xE417CBD76FFB10255A4CC3A5899A49A7 SHA-1: 0x5246FA6BBD389C75C94F94FB27D615B4DFB786F1	Mal/Emogen-H, Mal/Emogen-F [Sophos] Trojan-Downloader.Win32.VB [Ikarus] Win-Trojan/Xema.variant [AhnLab]
3	c:\system.bat	87 bytes	MD5: 0x7CC2CDD926348501227EDBA43732DD34 SHA-1: 0x1261593295B531258FB3397176748D06E70B8FEC	(not available)
4	%Windir%\360SE.exe	149,750 bytes	MD5: 0x1C66BFD425DE59864A997E43C274B356 SHA-1: 0x3B6B8ABF40849407972EB69A6EA1DFFE52FFCDE3	Trojan Horse [Symantec]
5	%Windir%\aeyhd.exe %Windir%\gizta.exe	73,728 bytes	MD5: 0xB3BE5EE10078B5FE49A80039B3C5EB48 SHA-1: 0x17D30CEB6334E1CE1631A09B9A143E11188318AE	Trojan.Adclicker [Symantec] Trojan-Downloader.Win32.VB [Ikarus] Win-Trojan/Xema.variant [AhnLab]
6	%Windir%\kaoni.exe	1,302,528 bytes	MD5: 0x17D2CD9E9186E028CE2B09636F9E847B SHA-1: 0x13228AFEC597B503619AA5166A751E792DF5A1BF	(not available)
7	%Windir%\svcho.exe	98,304 bytes	MD5: 0xDC69EF6DC12EBBF259096C7F9912A0AD SHA-1: 0x72514A7FDC14DBDE815A1A8C4B6644D9ED5BE2B6	Mal/Behav-216 [Sophos]
8	[file and pathname of the sample #1]	1,426,358 bytes	MD5: 0x66EB1B2960C73D2F51702AC0A004CE06 SHA-1: 0x354D7454649787AB4042DCE5190C9502BB30B517	(not available)

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directory was created:

%Temp%\TDDOWNLOAD

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
kaoni.exe	%Windir%\kaoni.exe	1,302,528 bytes
aeyhd.exe	%Windir%\aeyhd.exe	77,824 bytes
ecplor	%ProgramFiles%\ecplor	49,152 bytes
gizta.exe	%Windir%\gizta.exe	77,824 bytes
360SE.exe	%Windir%\360SE.exe	180,224 bytes
svcho.exe	%Windir%\svcho.exe	24,576 bytes
[generic host process]	[generic host process filename]	45,056 bytes
123.exe	%Temp%\TDDOWNLOAD\123.exe	135,168 bytes

Notes:

[generic host process filename] is a full path filename of [generic host process].

The following system services were modified:

Service Name	Display Name	New Status	Service Filename
ALG	Application Layer Gateway Service	"Stopped"	%System%\alg.exe
SharedAccess	Windows Firewall/Internet Connection Sharing (ICS)	"Stopped"	%System%\svchost.exe -k netsvcs

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

The following Registry Key was created:

HKEY_CURRENT_USER\Software\WinRAR SFX

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\WinRAR SFX]

C%%WINDOWS = "C:\WINDOWS"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) = 0x0000000C

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) = 0x0000000C

Other details

Analysis of the file resources indicate the following possible countries of origin:

	China
	Russian Federation

To mark the presence in the system, the following Mutex objects were created:

_!SHMSFTHISTORY!_
DesktopCleanupMutex

The following ports were open in the system:

Port	Protocol	Process
1035	UDP	kaoni.exe (%Windir%\kaoni.exe)
1043	UDP	kaoni.exe (%Windir%\kaoni.exe)

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
c.wauee.com	80	(null)	(null)
uorku.cn	80	(null)	(null)

The following GET requests were made:

down/downtj.html
down/index.jpg
click?pid=15&mid=19483&channel=1&pt=xiaoming
index.jpg

The following HTTP URL was started reading:

http://uorku.cn/down/soft2/FunshionInstall_C50957.exe|http://uorku.cn/down/soft2/lsass.exe|http://uorku.cn/down/soft2/svchost.exe|http://uorku.cn/down/soft2/task.exe

The data identified by the following URL was then requested from the remote web server:

http://www.uorku.cn/cpa/cpa.txt

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.